CVE-2020-5866 - OpenCVE

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
F5	Nginx Controller

Configuration 1 [-]

OR	cpe:2.3:a:f5:nginx_controller::::::::
	cpe:2.3:a:f5:nginx_controller::::::::
	cpe:2.3:a:f5:nginx_controller:1.0.1:::::::*

No data.

References

Link	Providers
https://security.netapp.com/advisory/ntap-20200430-0005/
https://support.f5.com/csp/article/K11922628

History

No history.

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2020-04-23T18:37:50

Updated: 2024-08-04T08:47:40.113Z

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5866

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-23T19:15:13.140

Modified: 2020-04-30T19:15:14.857

Link: CVE-2020-5866

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "NGINX Controller", "vendor": "n/a", "versions": [{"status": "affected", "version": "< 3.3.0"}]}], "datePublic": "2020-04-22T00:00:00", "descriptions": [{"lang": "en", "value": "In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-30T18:06:06", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K11922628"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200430-0005/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "ID": "CVE-2020-5866", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NGINX Controller", "version": {"version_data": [{"version_value": "< 3.3.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K11922628", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K11922628"}, {"name": "https://security.netapp.com/advisory/ntap-20200430-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200430-0005/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:47:40.113Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K11922628"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200430-0005/"}]}]}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2020-5866", "datePublished": "2020-04-23T18:37:50", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:47:40.113Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31", "versionEndIncluding": "2.9.0", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "514454C8-5679-45CE-B21D-DB7225E616E8", "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments."}, {"lang": "es", "value": "En las versiones de NGINX Controller anteriores a la versi\u00f3n 3.3.0, el script helper.sh, que es usado opcionalmente en NGINX Controller para cambiar la configuraci\u00f3n, usa elementos confidenciales como argumentos de l\u00ednea de comandos."}], "id": "CVE-2020-5866", "lastModified": "2020-04-30T19:15:14.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-23T19:15:13.140", "references": [{"source": "f5sirt@f5.com", "url": "https://security.netapp.com/advisory/ntap-20200430-0005/"}, {"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K11922628"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}